Australia's top enterprises hit by laymen hackers in less than 24 hours

Enterprises saved by freeware IDS

A penetration test of 200 of Australia's largest enterprises has found severe network security flaws in 79 percent of those surveyed.

The tests, undertaken by University of Technology Sydney (UTS), saw 25 non-IT students breach security infrastructure and gain root or administration level access within the networks of Australia's largest companies, using hacking tools freely available on the Internet.

The students - predominately law practitioners - were given 24 hours to breach security infrastructure on each site and were able to access customer financial details, including confidential insurance information, on multiple occasions.

High-level business executives from the companies surveyed, rather than IT staff, were informed of the tests so the "day-to-day network security" of businesses could be tested.

Over half of those that passed the penetration tests had freeware IDSs.

Faculty of Law lecturer Ajoy Ghosh

Faculty of Law lecturer and LogicaCMG chief security officer, Ajoy Ghosh, who commissioned the test said students were able to breach 24 enterprises or 12 percent in less than an hour, in fact most systems were foiled in the first few minutes.

"More than half of those that passed the penetration test had freeware Intrusion Detection Systems (IDS), notably Snort; we only had two responses from security teams even though sites were down for more than an hour," Ghosh said.

"Organizations that couldn't be penetrated typically had Web servers were on hardened operating systems and many had done code reviews on Web pages and installed apps."

Ghosh pointed out that one in three intrusions occur on networks already protected by certified gateways, even those certified by government common criteria."

Most of the 21 percent of companies who passed the penetration tests owed their success to freeware Intrusion Detection Systems (IDSs), according to Ghosh.

"Over half of those that passed the test had freeware IDSs and already had or were implementing an Information Security Management System (ISMS)," he said.

"This proves that it's not costly to implement an IDS."

An equal distribution of Microsoft, Apache and Domino servers were used by the successful 21 percent.

High Tech Crime Centre federal agent Nigel Phair said it is "almost impossible" to collect accurate data on online security breaches because of the secrecy of the private sector.

"It is easier to sweep intrusions under the carpet and bring in a consultant to mop it up [than] to go to the Police," Phair said.

"People stand close to ATMs so they don't expose their passwords, but they do not apply real-world sensibilities in online environments.

"Users buy computers with antivirus as [OEM], but don't bother renewing updates and think they are still protected."

He said awareness of cybercrime has suffered from a lack of holistic security surveys, such as the recently-scrapped AusCERT Computer Crime and Security Survey, which Phair said has "left a hole" in the industry.

Have an opinion on this story? Click to e-mail Darren Pauli.